The invention disclosed herein relates generally to systems and methods for providing an authorization framework for applications. More particularly, the present invention provides for declaratively specifying authorization enforcement points and associating them with permission classes and subclasses by using declarations that map constants, local variables, or instance variables to permission classes and subclasses such as Java Permission, PermissionFactory, PrivilegedAction and PrivilegedActionFactory classes.
Providing security measures that allow granularity involves establishing a complex set of relationships between principals and permissions for authorizations to run or use certain processes in applications. A “principal” is an entity in the computer system to which permissions are granted, and is also called a “target application” herein, which contains classes of objects, or “target classes.” Examples of principals include processes, objects and threads. A “permission” is an authorization by the computer system that allows a principal to perform a particular action or function. In many cases, the principals also involve user-oriented processes, such as a user interface providing authorized access to a database, wherein the permission to be granted is to allow the user interface access to the database so the user may have access.
There are several systems implemented for use with Java “permission” classes, such as the system described in U.S. Pat. No. 6,047,377 to Gong (“Gong”). Gong describes a method and apparatus for establishing and maintaining complex security rules. The security rules are established through the use of permission classes that have the ability to inherit attributes and methods. For example, a permission super class is established that defines an interface to a validation method. A permission subclass may then be created which provides an implementation of the validation method. When invoked, the validation method indicates whether a given permission represented by one object belonging to a permission class encompasses the permission represented by another object belonging to a permission class. Classes are also provided for grouping permissions into sets, and for establishing protection domains for classes of objects. However, using the system described in Gong, in order to introduce new permission subclasses, or to change permission subclasses, developers are still required to perform considerable programming, or re-programming, to change the references to those subclasses for each authorization enforcement point in a target application containing those references.